Snort mailing list archives
Re: Errors this morning
From: "Matt Olney" <molney () sourcefire com>
Date: Thu, 27 Nov 2008 11:31:11 -0500
Can you try paste a rule (say...the rule on line 921) so we can check
the PCRE...my guess is that it may use one of the new PCRE options
available in Snort 2.8.3, and your version won't support them. The
following are the ones that might cause issues:
case 'P': pcre_data->options |= SNORT_PCRE_HTTP_BODY; break;
case 'H': pcre_data->options |= SNORT_PCRE_HTTP_HEADER; break;
case 'M': pcre_data->options |= SNORT_PCRE_HTTP_METHOD; break;
case 'C': pcre_data->options |= SNORT_PCRE_HTTP_COOKIE; break;
So, any PCRE that has a P, H, M or C at the end should only be
supported in Snort 2.8.3...
Matt
On Thu, Nov 27, 2008 at 9:43 AM, James Lay <jlay () slave-tothe-box net> wrote:
On 11/27/08 7:38 AM, "Joel Esler" <eslerj () gmail com> wrote: On Nov 27, 2008, at 9:27 AM, James Lay wrote: So here's what I saw: Nov 27 00:06:59 gateway snort[2685]: FATAL ERROR: /chroot/snort/etc/snort/rules/web-client.rules (921): unknown/extra pcre option encountered Nov 27 07:20:08 gateway snort[2984]: FATAL ERROR: /chroot/snort/etc/snort/rules/web-client.rules (925): unknown/extra pcre option encountered Nov 27 07:20:25 gateway snort[2989]: FATAL ERROR: /chroot/snort/etc/snort/rules/web-client.rules (1174): unknown/extra pcre option encountered Nov 27 07:20:53 gateway snort[2994]: FATAL ERROR: /chroot/snort/etc/snort/rules/web-client.rules (1178): unknown/extra pcre option encountered Nov 27 07:21:06 gateway snort[2999]: FATAL ERROR: /chroot/snort/etc/snort/rules/web-client.rules (1181): unknown/extra pcre option encountered Nov 27 07:21:20 gateway snort[3004]: FATAL ERROR: /chroot/snort/etc/snort/rules/web-client.rules (1183): unknown/extra pcre option encountered PCRE version is 4.5 James Also state what version of Snort and what version of the rules you are running. Joel Oops. Snort is 2.8.0 and using oinkmaster to download daily rules...think I'll upgrade snort first then see what happens..thanks Joel. James ------------------------------------------------------------------------- This SF.Net email is sponsored by the Moblin Your Move Developer's challenge Build the coolest Linux based applications with Moblin SDK & win great prizes Grand prize is a trip for two to an Open Source event anywhere in the world http://moblin-contest.org/redirect.php?banner_id=100&url=/ _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
------------------------------------------------------------------------- This SF.Net email is sponsored by the Moblin Your Move Developer's challenge Build the coolest Linux based applications with Moblin SDK & win great prizes Grand prize is a trip for two to an Open Source event anywhere in the world http://moblin-contest.org/redirect.php?banner_id=100&url=/ _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- Errors this morning James Lay (Nov 27)
- Re: Errors this morning Joel Esler (Nov 27)
- Re: Errors this morning James Lay (Nov 27)
- Re: Errors this morning Matt Olney (Nov 27)
- Re: Errors this morning James Lay (Nov 27)
- Re: Errors this morning Joel Esler (Nov 27)